Penetration Testing: Find Exploitable Vulnerabilities Before Attackers Do
Petronella Technology Group runs CMMC-RP-led penetration testing engagements that map real attack paths through your network, web applications, APIs, wireless, and people. Every finding ships with a CVSS score, MITRE ATT&CK technique tag, and step-by-step remediation guidance auditors and engineers can both act on.
A Real Attack, Run on Purpose
A penetration test is a permission-based, time-boxed simulation of a real cyberattack against your environment. Petronella ethical hackers chain together reconnaissance, vulnerability discovery, exploitation, and lateral movement the same way a financially motivated attacker or nation-state operator would. The result is not a list of theoretical risks - it is a written account of what an attacker could actually do, with what credentials, in what timeframe, and what data they could touch on the way out.
Penetration testing differs from a vulnerability scan, a security questionnaire, or a checklist audit. A scanner reports that a service is missing a patch. A penetration test demonstrates whether that missing patch is actually reachable from the internet, whether the credentials harvested from it pivot into your finance VLAN, and whether the EDR you pay for catches the lateral move. The difference is the same as the difference between a smoke detector that beeps and a fire marshal who walks through the building with a flashlight.
For most regulated organizations the trigger is no longer optional. CMMC 2.0 Level 2 assessments under the new C3PAO regime expect documented security assessment evidence (NIST SP 800-171 control 3.12.1) that a passive review cannot satisfy. PCI DSS v4 Requirement 11.4 mandates annual external and internal penetration testing for any environment that touches cardholder data. HIPAA Security Rule technical evaluation at 45 CFR 164.308(a)(8) assumes a real test, not a self-assessment, when ePHI volumes are non-trivial. Cyber insurance underwriters increasingly attach a pen-test attestation to renewal pricing. The work is no longer a maturity exercise. It is documentary evidence that something held when something tried to break it.
Petronella has been doing this work in North Carolina since 2002. Every engineer on our team holds the CMMC-RP credential. Founder Craig Petronella holds CMMC-RP, CCNA, CWNE (Certified Wireless Network Expert), and a state-issued Digital Forensics Examiner credential, license number 604180. The firm is CMMC-AB Registered Provider Organization number 1449. We have held a BBB A+ rating continuously since 2003. None of those acronyms run a test by themselves, but they tell you who is going to be holding the keys to your environment for the duration of the engagement.
Scope, Exploit, Report
Every engagement collapses to three honest stages, each of which a non-technical board member can follow. The PTES execution standard, NIST SP 800-115 testing guidance, and OWASP Testing Guide v4 all sit underneath these stages as our operational standard.
Scope
We sign a Master Services Agreement and a Rules of Engagement document that name in-scope IP ranges, hostnames, applications, testing windows, blackout periods, emergency contacts, and the precise escalation path when something critical is found mid-test. Reconnaissance begins immediately after sign-off. We map your attack surface using OSINT, certificate transparency logs, DNS history, GitHub leakage searches, breach-data correlation, and active service enumeration. By the end of stage one we know more about your external footprint than your IT director does. That is not a brag - that is the point.
Exploit
We run a layered attack against the agreed scope. Web applications get the OWASP Top 10 plus business-logic abuse. Networks get authenticated and unauthenticated probing, credential spraying against legacy protocols, privilege escalation attempts, and lateral movement once we land. Wireless engagements get rogue AP testing, EAP downgrade, PMKID capture, and client-side relay. Social engineering gets phishing, vishing, and where requested, physical pretexting. We exploit confirmed vulnerabilities only inside the agreed rules of engagement and document evidence as we go. Production stays up. Critical findings are reported the day we find them, not in a final report ninety days later.
Report
You receive an executive summary written for a board, a technical findings appendix written for engineers, and a remediation worksheet your IT team can drop into a ticketing system the next morning. Every finding carries a CVSS v3.1 base and environmental score, a MITRE ATT&CK technique tag, a screenshot or payload trail, a likelihood assessment, and a step-by-step remediation walkthrough. Critical and high findings include a free retest once you have patched. We will also walk the report through your auditor or your insurer if that is part of why the test was commissioned in the first place.
Vulnerability Scan vs Pen Test vs Red Team
Three different products, three different price tags, three different audit conclusions. Buying the wrong one costs more than money - it produces evidence that does not match the question your regulator or your insurer is actually asking.
If a vendor offers you all three of these for the same price as a scan, you are buying a scan with a renamed cover page. Penetration testing is human-led work. The line item that costs is the credentialed operator hour. The deliverable that matters is the narrative that turns a finding into a fix and turns a fix into an audit-ready receipt.
Eight Engagement Types We Run
Each engagement type maps to a specific attack surface. Scope conversations begin with the assets that hold your regulated data, the systems that produce your revenue, and the perimeter your auditor will name in the next report.
Internet-Facing Perimeter
Black-box or gray-box probing of every service your network exposes to the public internet. We enumerate ports, fingerprint services, identify default and weak credentials, attempt to exploit unpatched CVEs, and document the path from an internet-routable address to authenticated access. This is the test that satisfies PCI DSS Requirement 11.4.3 and the external side of NIST 800-171 control 3.12.1. It is also the test most cyber insurance underwriters reference on the renewal questionnaire.
Assumed Breach Simulation
Operators are given a foothold equivalent to a phished user laptop on the corporate LAN and asked to demonstrate what an attacker would do next. Active Directory abuse, Kerberoasting, NTLM relay, LLMNR poisoning, and credential spraying against legacy protocols all live here. We surface privilege escalation paths to Domain Admin, lateral movement into sensitive segments, and the actual blast radius of a single compromised workstation. This satisfies PCI DSS 11.4.2 and is the single most predictive test of what a real ransomware event would do inside your environment.
OWASP Top 10 Plus Business Logic
Application-layer testing against your web portal, customer dashboard, or partner extranet. We cover injection (SQL, NoSQL, command), broken authentication, sensitive data exposure, XML External Entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, vulnerable components, and insufficient logging. Beyond the OWASP Top 10 we test business-logic flaws unique to your workflow - price manipulation, IDOR through predictable identifiers, multi-step abuse, race conditions, and authorization bypass through state-machine corner cases. Scope is per-application and priced by the complexity of the flows tested.
REST, GraphQL, and Mobile Back Ends
API testing follows the OWASP API Security Top 10. We assess broken object-level authorization, broken user authentication, excessive data exposure, lack of resource controls, broken function-level authorization, mass assignment, security misconfiguration, injection, improper asset management, and insufficient logging. Mobile applications that talk to APIs get binary-side testing of cert pinning, jailbreak detection, and local data storage as part of the engagement. GraphQL endpoints get introspection-based scope expansion, query depth abuse, and resolver-side authorization testing.
Wi-Fi, Rogue AP, and IoT
Wireless engagements probe your enterprise SSID for WPA2 and WPA3 misconfiguration, EAP downgrade, weak EAP-TTLS chains, and PMKID capture against feasible passphrase spaces. We test guest segregation, BYOD segmentation, and the back-channel an attacker would use to reach the corporate VLAN from the parking lot. Founder Craig Petronella holds the CWNE credential, one of the more rigorous wireless certifications available. Rogue AP and evil-twin testing is included. IoT and OT testing is scoped on request.
iOS and Android Binary Testing
Mobile testing follows the OWASP Mobile Application Security Verification Standard. We instrument the binary, audit local storage, validate certificate pinning, examine inter-process communication, fuzz custom URL schemes, and test the API surface the mobile app talks to. The deliverable identifies whether a jailbroken or rooted device can extract credentials, tokens, or PHI; whether the app trusts attacker-controlled certificates; and whether the back-end enforces authorization independently from the client.
Phishing, Vishing, and Pretexting
People-side testing under signed authorization. Targeted phishing campaigns measure click rate, credential-submission rate, and reporting rate; vishing campaigns probe help-desk reset workflows; physical pretexting tests tailgating, vendor-impersonation, and badge-cloning where the engagement includes a physical scope. We report rates by department, by tenure band, and by training cohort - data that lets you target awareness investment instead of buying it by headcount. We do not name individual employees in the executive deliverable.
Goal-Based Adversary Simulation
Where a pen test asks "what can an attacker do here," a red team asks "can an attacker reach this specific asset, by any means, within 30 days, without you noticing." Goals are agreed in writing - the wire transfer authority, the CAD repository, the patient EHR, the source control tenant. Tactics include initial access through phishing or external exploitation, command-and-control over commodity infrastructure, MITRE ATT&CK technique chaining, and a deliberate test of your detection and response capability. The output is paired with a purple-team debrief that walks your SOC through every step they missed.
Pen Testing for the Framework Your Auditor Is Asking About
Every engagement is mapped to the control catalog the auditor or examiner will use. The deliverable becomes evidence, not an artifact your compliance team has to translate.
CMMC 2.0 Level 1, 2, and 3
Penetration testing supports the Security Assessment family in CMMC Level 1, the CA.L2-3.12.1 and CA.L2-3.12.2 evidence requirements at Level 2, and the expanded assessment cadence at Level 3. Petronella is CMMC-AB RPO #1449 and our deliverables are formatted for direct submission into a C3PAO assessment package.
Requirement 11.4 External and Internal
PCI DSS v4 Requirement 11.4 mandates external and internal penetration testing annually and after any significant change. Segmentation testing under 11.4.5 is scoped per cardholder data environment boundary. Reports are formatted for QSA review and include the network-segmentation attestation auditors look for.
Security Rule 164.308(a)(8) Evaluation
The HIPAA Security Rule technical evaluation requirement at 45 CFR 164.308(a)(8) is satisfied by a documented, periodic penetration test against systems that touch ePHI. We also support the Risk Analysis requirement at 164.308(a)(1)(ii)(A) by feeding pen-test findings into the analysis register. Business Associate Agreement on file.
Trust Services Criteria CC4 and CC7
SOC 2 Type II auditors expect monitoring evidence under CC4 (Monitoring Activities) and CC7 (System Operations). A documented penetration test, with remediation tracking and a retest, is the cleanest evidence available. We coordinate scope with your CPA firm before fieldwork starts.
252.204-7012 Contractor Requirements
NIST SP 800-171 control 3.12.1 (security assessments) and DFARS clause 252.204-7012 expect documented testing of systems that process Controlled Unclassified Information. Findings feed directly into your System Security Plan (SSP) and the Plan of Action and Milestones (POAM) register submitted under 252.204-7020.
Underwriting Attestation
Cyber insurance carriers increasingly require a recent third-party penetration test as part of renewal. We provide a signed attestation letter, the executive summary, and a redacted findings appendix in the format brokers and underwriters expect. The attestation maps to the control questions on the standard application.
Annex A.12.6.1 Vulnerability Management
ISO 27001 Annex A.12.6.1 expects documented technical vulnerability management. A.18.2.3 expects technical compliance review. Both are best evidenced by a periodic penetration test rather than scan-only data. We coordinate with your ISMS lead and provide findings tagged to the control register.
NY-DFS, CCPA, and State Breach Law
Reasonable security under state breach-notification statutes and sector-specific rules (NY-DFS 23 NYCRR 500, California IPA, Massachusetts 201 CMR 17, North Carolina General Statute 75-65) is increasingly defined by case law as a real penetration test, not a scan. We deliver evidence that meets the "reasonable" standard a state attorney general would apply during a post-breach review.
Implementation Group 2 and 3
CIS Controls v8 Safeguard 18 (Penetration Testing) sits in Implementation Group 2 and Group 3 maturity. Our engagements are mapped to CIS Safeguards 18.1 through 18.5, so the deliverable can be dropped into a CIS maturity report without rewriting.
What You Get From Petronella That You Will Not Get From a Scanner Vendor
Penetration testing is human-led work and the operator behind the keyboard determines the value of the report. Below is what we put on the table.
Engagement Discipline
- CMMC-RP credentialed operators: Every test is led by a Registered Practitioner under CMMC-AB RPO #1449, not a contractor passing through.
- Same-day critical reporting: Critical or exploitable-from-the-internet findings are reported to your designated point of contact the same day. You do not wait for a final report to learn you have an open door.
- Validated findings, not scanner dumps: Every finding in the deliverable has been hand-verified by the operator. No false positives.
- Free retest of critical and high findings: Once you remediate, we retest at no additional cost so the close-out is clean evidence.
- Production stays up: Denial-of-service testing only with explicit approval during agreed maintenance windows. Twenty-four years and zero unplanned client outages caused by a Petronella test.
Frameworks We Run Against
- PTES: Penetration Testing Execution Standard for end-to-end engagement structure and reporting consistency.
- NIST SP 800-115: Technical Guide to Information Security Testing and Assessment.
- OWASP Testing Guide v4: For web applications. OWASP API Security Top 10 for API engagements. MASVS for mobile.
- MITRE ATT&CK: Adversary tactic and technique tagging on every finding so the deliverable maps to your SIEM detection coverage.
- CVSS v3.1: Industry-standard scoring with environmental adjustments so the report reflects your context, not a generic CVE rating.
Penetration Testing Under CMMC 2.0 Level 2
The CMMC 2.0 final rule, codified at 32 CFR Part 170 (which also codifies the assessment process), with the 48 CFR (DFARS) contract-clause updates still pending, defines Level 2 as the protection level required for any defense contractor whose contract touches Controlled Unclassified Information. Assessments at Level 2 are conducted by an authorized C3PAO (Certified Third-Party Assessment Organization), and the pre-assessment evidence package is the difference between a clean conditional and a remediation cycle.
Petronella runs penetration tests sized to that package. Our deliverables include the Security Assessment Report tagged directly to NIST SP 800-171 Revision 2 controls in the 3.12 family (Security Assessment), the 3.11 family (Risk Assessment), and the 3.14 family (System and Information Integrity). The pen-test evidence then feeds the System Security Plan and the Plan of Action and Milestones submitted into the Supplier Performance Risk System (SPRS) under DFARS clause 252.204-7019.
Practice 1.1.2 in CMMC Practice Area 1 expects evidence of authorized access to CUI. A penetration test demonstrates the authorization boundary holds against the adversary model the practice contemplates. Practice 13.1.1 expects boundary protection - the pen test is the evidence that the boundary works under attempted breach. Our CMMC-RP team writes the narrative section so it reads the way a C3PAO assessor wants it to read on the day of the on-site visit.
If you are early in the CMMC journey we recommend pairing a Level 2 readiness pen test with a C3PAO selection conversation. The two scopes interlock and timing the pen test six to nine months before the formal assessment maximizes the value of the remediation runway. CMMC Level 1 contractors with FCI-only environments do not require a pen test by rule, but the same Practice family 3.12 expectations apply at the self-assessment standard, and we run shorter Level 1 engagements as well.
Industries That Engage Petronella for Pen Testing
Regulated verticals carry the majority of our pen-test work. The acronyms differ; the underlying scoping conversation is the same.
Credentials That Hold the Keys
Credentials are not the test. They are who you are letting inside the building during the test. Below is what is on the engagement letter.
RPO #1449
Petronella Technology Group is CMMC-AB Registered Provider Organization number 1449. Every engineer on staff is CMMC-RP credentialed. Lead operators include Craig Petronella, Blake Rea, Justin Summers, and Jonathan Wood.
DFE #604180
Founder Craig Petronella holds a state-issued Digital Forensics Examiner credential, license number 604180. The same investigative discipline that produces court-admissible evidence shapes how we document and chain our pen-test findings.
CCNA + CWNE
Cisco Certified Network Associate plus Certified Wireless Network Expert - the highest-tier vendor-neutral wireless credential. We run wireless engagements the way the credential's exam expects them to be run.
BBB A+ Since 2003
Better Business Bureau A+ continuously since 2003. Twenty-plus years on the same NC street. 5540 Centerview Drive, Suite 200, Raleigh, North Carolina 27606.
Founded 2002
Petronella Technology Group has run security work for North Carolina and national clients for over two decades. We have watched the threat model change from worms to ransomware to nation-state supply chain compromise, and the methodology has adapted at each stage.
Author and Speaker
Craig Petronella is the published author of cybersecurity titles available on Amazon and has been a contributor to industry publications. The same threat narrative that shows up in print and on conference stages drives the threat-model conversation we open the engagement with.
Five Pen-Test Scoping Mistakes That Cost Money Later
We watch the same scoping errors recur quarter after quarter. Each one inflates the cost of the engagement, the cost of remediation, or the cost of the audit cycle that follows.
Mistake one: scoping by IP count instead of by attack surface. An asset that exposes a single port to the internet can produce more risk than ten internal workstations. The right scoping conversation starts with the data, the workflow, and the business obligation, not a netblock CIDR. Petronella scoping calls open with "what would an attacker want from you" and only then move to in-scope hostnames.
Mistake two: excluding the application that holds the regulated data. Web applications and APIs are routinely scoped out of network pen tests on the assumption they got tested last cycle. The application is exactly where exfiltration occurs. If the engagement is about CMMC, HIPAA, PCI, or SOC 2 evidence, the application is in scope or the deliverable does not cover the actual risk.
Mistake three: skipping internal testing. An external-only engagement reports the strength of the perimeter. It says nothing about what happens when one phished workstation lands inside the building. PCI DSS v4 names this explicitly at Requirement 11.4.2. CMMC L2 inherits the same expectation through control family 3.12. Skipping internal pen testing produces a report that satisfies neither.
Mistake four: undersized social engineering. A pen test with a five-target phishing simulation produces noise rather than data. Statistically meaningful phishing requires a minimum of twenty-plus targets and an honest read of department-level click rates. Underscoped social engineering still costs operator hours and produces nothing actionable for the security awareness program.
Mistake five: no remediation runway in the engagement letter. A pen test that closes the day the report ships, with no agreed retest window, is an audit artifact rather than a security improvement. The free critical-and-high retest in the Petronella engagement letter exists exactly to prevent this. Schedule the retest inside the engagement letter, not after.
What Lands in Your Inbox When the Test Closes
A Petronella penetration testing engagement closes with a four-part deliverable. The executive summary runs two to four pages and is written for the board, the audit committee, and your cyber insurance broker. It opens with the business-risk narrative - what an attacker could reach, what regulated data was in play, and what the dollar-impact estimate looks like under a reasonable assumption set. It closes with a prioritized remediation list so leadership can make budget decisions inside one read.
The technical findings appendix is the long document - typically 40 to 120 pages depending on scope. Each finding gets a unique identifier, a CVSS v3.1 base score, an environmental score adjusted for your context, a MITRE ATT&CK technique tag, evidence (screenshots, captured requests, payloads, log excerpts), likelihood and impact analysis, and a step-by-step remediation walkthrough. Findings are grouped by severity and by affected system so your engineers can attack the work in the order that closes the most risk per hour spent.
The remediation worksheet ships as a spreadsheet your IT team can drop into a ticketing system. Columns include finding ID, system affected, severity, owner placeholder, target close date, evidence-of-fix requirement, and retest status. The worksheet is the bridge between the appendix and the work that closes the loop.
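As an added example (not Petronella's report tooling or worksheet template), the block below scores findings with the CVSS v3.1 base and environmental formulas from the FIRST specification and emits rows with the worksheet columns named above: finding ID, system, severity, owner placeholder, target close date, evidence-of-fix requirement, and retest status. The finding identifiers, hosts, vectors, evidence strings and report date are constructed for the example; the close-date offsets (criticals by day 15, highs by day 25, mediums inside the next quarter, the rest tracked to the next engagement) are an assumption drawn from the thirty-day plan described later on this page.

```python
# CVSS v3.1 scoring and remediation-worksheet rows. Added example, not Petronella's
# tooling; formulas follow the FIRST CVSS v3.1 specification.
import math
from datetime import date, timedelta

# Metric weights from the CVSS v3.1 specification.
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "PR_U": {"N": 0.85, "L": 0.62, "H": 0.27}, "PR_C": {"N": 0.85, "L": 0.68, "H": 0.5},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},                      # CR / IR / AR
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
}


def roundup(value):
    """CVSS v3.1 Roundup in the spec's integer form, so float noise cannot skew a score."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', ...}; rejects non-3.1 or incomplete vectors."""
    head, *parts = vector.split("/")
    metrics = dict(part.split(":", 1) for part in parts)
    missing = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"} - metrics.keys()
    if head != "CVSS:3.1" or missing:
        raise ValueError(f"unsupported or incomplete vector: {vector}")
    return metrics


def cvss_score(vector, environmental=False):
    """Base score; with environmental=True the M*, CR/IR/AR and E/RL/RC metrics apply."""
    m = parse_vector(vector)

    def get(key):  # modified metric (MAV, MC, ...) when set and not X, else the base one
        return m["M" + key] if environmental and m.get("M" + key, "X") != "X" else m[key]

    changed = get("S") == "C"
    req = (lambda k: W["REQ"][m.get(k + "R", "X")]) if environmental else (lambda k: 1.0)
    c, i, a = (req(k) * W["CIA"][get(k)] for k in "CIA")
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    if environmental:
        iss = min(iss, 0.915)
    if not changed:
        impact = 6.42 * iss
    elif environmental:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    pr = W["PR_C" if changed else "PR_U"][get("PR")]
    exploitability = 8.22 * W["AV"][get("AV")] * W["AC"][get("AC")] * pr * W["UI"][get("UI")]
    score = roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))
    if environmental:
        temporal = W["E"][m.get("E", "X")] * W["RL"][m.get("RL", "X")] * W["RC"][m.get("RC", "X")]
        score = roundup(score * temporal)
    return score


def severity(score):
    """Qualitative rating scale from the CVSS v3.1 specification."""
    if score == 0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical"


# Close-date offsets are an assumption taken from the thirty-day plan on this page:
# criticals by day 15, highs by day 25, mediums inside the next quarter, the rest next engagement.
CLOSE_DAYS = {"Critical": 15, "High": 25, "Medium": 90, "Low": 365, "None": 365}


def worksheet_rows(findings, report_date):
    """One row per finding with the worksheet columns, highest environmental score first."""
    rows = []
    for f in findings:
        env = cvss_score(f["vector"], environmental=True)
        sev = severity(env)  # prioritise on the context-adjusted score, not the generic one
        rows.append({
            "finding_id": f["id"], "system": f["system"], "severity": sev,
            "cvss_base": cvss_score(f["vector"]), "cvss_environmental": env,
            "owner": "TBD",  # placeholder, assigned on the debrief call
            "target_close": (report_date + timedelta(days=CLOSE_DAYS[sev])).isoformat(),
            "evidence_of_fix": f["evidence"],
            "retest_status": "retest included" if sev in ("Critical", "High") else "track next engagement",
        })
    return sorted(rows, key=lambda r: -r["cvss_environmental"])


# Constructed sample findings: identifiers, hosts, vectors and date are not from any real engagement.
REPORT_DATE = date(2025, 1, 6)
SAMPLE_FINDINGS = [
    {"id": "PTG-001", "system": "vpn-gw-01 (internet-facing)",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "evidence": "patched build in service banner; exploit attempt fails on retest"},
    {"id": "PTG-002", "system": "file-srv-02 (finance VLAN)",
     "vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/CR:H/IR:M/AR:L",
     "evidence": "configuration export showing SMB signing required"},
    {"id": "PTG-003", "system": "customer portal (web)",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O",
     "evidence": "output encoding in place; payload no longer reflected"},
]
```

Running `worksheet_rows(SAMPLE_FINDINGS, REPORT_DATE)` shows why the environmental column matters: PTG-002 is a Medium (6.3) on its generic base score but a High (7.7) once the finance VLAN's confidentiality requirement is applied, so it moves into the retest-included tier, while PTG-003 drops from 6.1 to 5.5 because a proof-of-concept exploit and an official fix are already known.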
The retest letter arrives once you have remediated critical and high findings. The retest is included at no additional cost. The letter says what we retested, what we confirmed remediated, and what we recommend tracking on the next engagement. That letter is the artifact your auditor or your insurer asks for at renewal.
Engagements also include a debrief call. Optional purple-team workshops are available for clients who want their internal detection and response team to walk every step of the attack tree alongside our operator and tune SIEM detections in real time.
The First Thirty Days After the Report Lands
The penetration testing report has the highest signal-to-noise ratio of any document in your security program. It tells you exactly what to fix and in what order. The thirty days that follow are where the value of the engagement is either realized or evaporates. Petronella structures the post-engagement window the same way every time.
Days one through five: the debrief call walks every critical and high finding with your IT lead, your CISO or vCISO, and where appropriate your auditor or compliance officer. We answer questions, demonstrate exploitation paths on request, and triage remediation ownership. The remediation worksheet leaves the call populated with owner names and target close dates.
Days six through fifteen: critical findings ship into the patch cycle and the change-management process. Where infrastructure-level changes are needed - firewall ACL revisions, identity provider hardening, segmentation enforcement - we are available on a quick call to validate the proposed fix matches the threat model the finding documented. Most critical findings close inside this window.
Days sixteen through twenty-five: high findings close. Awareness training adjusts to reflect what the phishing simulation revealed. Detection engineering tunes SIEM rules to fire on the MITRE ATT&CK techniques the operator chained, so the next attacker that walks the same path produces a same-day alert instead of a thirty-day dwell time.
Days twenty-six through thirty: Petronella runs the free retest of critical and high findings. The retest letter ships within five business days of the retest itself. That letter is the artifact your auditor, your insurer, your prime contractor, or your board wants to see, and it closes the engagement loop with documented evidence the remediation held.
Medium and informational findings are tracked on the worksheet for closure inside the next quarterly cycle, not the immediate window. The right cadence is to schedule the next penetration testing engagement at the eleven-month mark so the annual evidence requirement never lapses, and the threat model gets a fresh adversary look while the remediation muscle is still warm.
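The detection-engineering step in the thirty-day plan above, as an added example rather than Petronella's SIEM content: a small detector for Kerberoasting (MITRE ATT&CK T1558.003, one of the Active Directory techniques named under the assumed-breach engagement) that runs over Windows Security event 4769 (Kerberos service ticket requested). The event lines are constructed and flattened to a "timestamp key=value" form that is not real telemetry; the RC4 encryption-type value 0x17 is the documented Windows value, while the burst threshold of five distinct SPNs per user inside a one-minute window is assumed tuning that a SOC would adjust to its own baseline.

```python
# Kerberoasting (T1558.003) detection over Windows Security event 4769.
# Added example, not Petronella's SIEM content; sample events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                    # TicketEncryptionType value for RC4-HMAC
BURST_THRESHOLD = 5                  # distinct SPNs per user per window (assumed tuning)
BURST_WINDOW = timedelta(minutes=1)  # sliding window length (assumed tuning)

# Constructed sample events flattened to "timestamp key=value ..." (not real telemetry).
SAMPLE_EVENTS = [
    "2025-01-08T09:00:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=MSSQLSvc IpAddress=::ffff:10.1.5.20 TicketEncryptionType=0x12",
    "2025-01-08T09:00:05 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=FILE01$ IpAddress=::ffff:10.1.5.20 TicketEncryptionType=0x17",
    "2025-01-08T09:14:02 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc-sql IpAddress=::ffff:10.1.9.77 TicketEncryptionType=0x17",
    "2025-01-08T09:14:03 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc-web IpAddress=::ffff:10.1.9.77 TicketEncryptionType=0x17",
    "2025-01-08T09:14:03 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc-backup IpAddress=::ffff:10.1.9.77 TicketEncryptionType=0x17",
    "2025-01-08T09:14:04 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc-sccm IpAddress=::ffff:10.1.9.77 TicketEncryptionType=0x17",
    "2025-01-08T09:14:04 EventID=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc-exch IpAddress=::ffff:10.1.9.77 TicketEncryptionType=0x17",
    "2025-01-08T09:30:00 EventID=4768 TargetUserName=mallory@CORP.LOCAL ServiceName=krbtgt IpAddress=::ffff:10.1.9.77 TicketEncryptionType=0x12",
    "2025-01-08T10:00:00 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt IpAddress=::ffff:10.1.5.20 TicketEncryptionType=0x12",
]


def parse_event(line):
    """'timestamp key=value ...' -> dict of fields plus a parsed 'ts' datetime."""
    stamp, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(stamp)
    return event


def roastable(service_name):
    """Only user-account SPNs are of interest: machine accounts (NAME$) and krbtgt are excluded."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(lines):
    """Rule 1: an RC4 service ticket for a user-account SPN (one alert per user/service pair).
    Rule 2: one user requesting BURST_THRESHOLD distinct SPNs inside BURST_WINDOW."""
    tgs = [e for e in map(parse_event, lines)
           if e.get("EventID") == "4769" and roastable(e["ServiceName"])]
    alerts, seen = [], set()
    for e in tgs:
        key = (e["TargetUserName"], e["ServiceName"])
        if e.get("TicketEncryptionType") == RC4_HMAC and key not in seen:
            seen.add(key)
            alerts.append({"rule": "rc4_service_ticket", "technique": "T1558.003",
                           "user": key[0], "service": key[1], "ts": e["ts"].isoformat()})
    by_user = defaultdict(list)
    for e in tgs:
        by_user[e["TargetUserName"]].append(e)
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            window = [x for x in events[i:] if x["ts"] - first["ts"] <= BURST_WINDOW]
            services = sorted({x["ServiceName"] for x in window})
            if len(services) >= BURST_THRESHOLD:
                alerts.append({"rule": "spn_request_burst", "technique": "T1558.003",
                               "user": user, "services": services, "ts": first["ts"].isoformat()})
                break  # one burst alert per user per run keeps the SOC queue readable
    return alerts
```

On the sample, jdoe's RC4 ticket for a machine account and the krbtgt requests produce nothing, while mallory's five RC4 service-ticket requests two seconds apart raise five per-SPN alerts and one burst alert. The machine-account exclusion is what keeps legacy RC4 traffic between domain members from flooding the rule; in a production deployment the two rules would be tied to the exact ATT&CK technique the operator chained so the same path alerts the same day next time.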
Penetration Testing Questions Decision-Makers Ask
Selected from scoping calls with regulated organizations across the Triangle, North Carolina, and nationally.
What is the difference between a penetration test and a vulnerability scan?
How often should we run penetration testing?
Will penetration testing disrupt our production systems?
How much does penetration testing cost?
Is penetration testing required for CMMC Level 2?
Do you offer black box, gray box, and white box testing?
What if you find a critical vulnerability mid-engagement?
What is included in the report?
Do you sign Business Associate Agreements for HIPAA work?
Where are your operators based?
Pair Penetration Testing With
Penetration testing is most valuable as part of a security program. These pages cover the work that wraps around it.
Penetration Testing Across North Carolina
Petronella runs penetration testing engagements across the Triangle and statewide. National engagements are scoped on request.
Scope Your Next Penetration Testing Engagement
Free 30-minute scoping call. A Petronella engineer walks the scope conversation, names the controls the deliverable will map to, and produces a fixed-fee engagement letter inside three business days.